
Hi,
Can I get the user risk score in UBA from a Splunk ES search command, given the user name?
Thanks,

Not directly, no. However, Splunk ES can ingest anomalies and threats, which can then impact the ES risk score. Out of the box, we will increase the ES risk score for any threats, and you could easily create a new correlation search looking for the anomalies (index=ueba uba_evt_type=anomaly, if my memory serves) that would not create a notable event, but would create a risk entry. That would allow anomalies to also impact your ES risk score.
Does that seem like it might meet your needs?

Hello,
How about getting a daily dynamic lookup from UBA containing high-risk users? Is it possible?
Thanks again
